Closed Bug 1070213 Opened 10 years ago Closed 8 years ago

Review SecurityDomain implementation


(Firefox Graveyard :: Shumway, defect)

(Reporter: mwobensmith, Assigned: till)




(2 files)

This is a page containing very basic tests of cross-domain loaded SWFs scripting each other. The ability to safely load and permit cross-domain SWF scripting is a feature that will be required to support ads and other types of content that utilize a parent loading SWF.

Currently, Shumway does not sandbox SWFs by domain and therefore has no permission mechanism to test.

Examples here are AVM1 and AVM2, and simply check to see if they can read a variable across a domain boundary.

Not tested:
- Anything other than allowDomain("*")
- Cross-protocol scripting
- Redirects
- Other types of data access
Affects dynamically loaded ads.
Blocks: shumway-m4
Summary: Shumway M3 milestone: Implement SWF domain sandboxing → Implement SWF domain sandboxing
Summary: Implement SWF domain sandboxing → Implement SecurityDomains
Matt, could you perhaps put a crossdomain.xml file on both domains allowing access to each other? I know that it's not required for your test case in the Flash plugin, but it would make testing easier for us as long as we have the "only load SWFs from domains that allow data loading" restriction in place.

We have SecurityDomains implemented, and I'd like to test how well they work.
Flags: needinfo?(mwobensmith)
Hi Till - I'm happy to do so.

Obviously there are many ways to configure policy files. Create the policy files you want to test with and get them to me (here in the bug or send to me directly) and I'll stage them ASAP. 

Make sure to specify if you want them in a given directory or in the root - or both.

Flags: needinfo?(mwobensmith) → needinfo?(till)
Great, thanks!

We only want to test the SecurityDomain functionality here, so the crossdomain.xml file can just allow everything: it doesn't matter much. Either "*" or the other SWF's domain would be great.
Flags: needinfo?(till)
OK, will do. Is this a root policy file? Or in the same directory as the SWF?
Flags: needinfo?(till)
(In reply to Matt Wobensmith from comment #7)
> OK, will do. Is this a root policy file? Or in the same directory as the SWF?

A root file would be great. I'm not sure we already support the same-directory version.
Flags: needinfo?(till)
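An added example, not part of the bug thread or of Shumway's code: a small Python check that contrasts a permissive root crossdomain.xml of the kind discussed above (`*`) with one scoped to named domains, and reports which requesting hosts each admits. The sample policies and host names are constructed, and the suffix-wildcard matching rule is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; not the files staged for this bug.
PERMISSIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

SCOPED = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="swf.example.org"/>
  <allow-access-from domain="*.ads.example.net"/>
</cross-domain-policy>"""


def grants(policy_xml):
    """Return (domain pattern, secure flag) for each <allow-access-from>."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [(el.get("domain", "").strip().lower(),
             el.get("secure", "true").strip().lower() != "false")
            for el in root.iter("allow-access-from")]


def pattern_matches(pattern, host):
    """Match "*", "*.suffix" or an exact host name against host."""
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Assumption: a suffix wildcard covers subdomains, not the bare suffix.
        return host.endswith(pattern[1:])
    return host == pattern


def is_allowed(policy_xml, requesting_host):
    """True if any grant in the policy admits requesting_host."""
    return any(pattern_matches(p, requesting_host) for p, _ in grants(policy_xml))


def audit(policy_xml):
    """List the grants a reviewer would question outside a test setup."""
    findings = []
    for pattern, secure in grants(policy_xml):
        if pattern == "*":
            findings.append("wildcard domain: any origin is granted access")
        if not secure:
            findings.append(f"secure=false on {pattern}: HTTP may read HTTPS data")
    return findings
```

For policy files fetched from hosts you do not control, parse with a hardened XML parser such as defusedxml rather than the standard library.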
I've put a permissive policy file at:

So, SWFs that load from the parent domain of should be working.

However, I can't put root policy files on because I don't control that domain, so tests here where the child wants to access the parent won't work. 

If this is enough to validate your work on SecurityDomains, great. I suspect, though, that for more testing you'll need to emulate multi-domain data access, as well as HTTPS and all of the directives that can be used in a policy file. Sadly that is more than I can provide at this time, but would be happy to work with you on that in the future.
Oops, correction:

I've put a permissive policy file at:

And not in the directory mentioned above.

Otherwise, all other comments are the same.
Assignee: nobody → till
Blocks: shumway-later
No longer blocks: shumway-m4
Summary: Implement SecurityDomains → Review SecurityDomain implementation
Version: 35 Branch → Trunk
Product: Firefox → Firefox Graveyard
Closed: 8 years ago
Resolution: --- → INCOMPLETE